Does Your Organization Have a Security.txt File?

It happens all the time: Organizations get hacked because there isn’t an obvious way for security researchers to let them know about security vulnerabilities or data leaks. Or maybe it isn’t entirely clear who should get the report when remote access to an organization’s internal network is being sold in the cybercrime underground.

In a bid to minimize these scenarios, a growing number of major companies are adopting “Security.txt,” a proposed new Internet standard that helps organizations describe their vulnerability disclosure practices and preferences.

An example of a security.txt file. Image: Securitytxt.org.

The idea behind Security.txt is straightforward: The organization places a file called security.txt in a predictable place — such as example.com/security.txt, or example.com/.well-known/security.txt. What’s in the security.txt file varies somewhat, but most include links to information about the entity’s vulnerability disclosure policies and a contact email address.

The security.txt file made available by USAA, for example, includes links to its bug bounty program; an email address for disclosing security related matters; its public encryption key and vulnerability disclosure policy; and even a link to a page where USAA thanks researchers who have reported important cybersecurity issues.

Other security.txt disclosures are less verbose, as in the case of HCA Healthcare, which lists a contact email address, and a link to HCA’s “responsible disclosure” policies. Like USAA and many other organizations that have published security.txt files, HCA Healthcare also includes a link to information about IT security job openings at the company.
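A check an organization can run against its own security.txt before publishing it, added here as an example (it is not code from the original article or from the security.txt project). It parses the kinds of entries described above and assumes the field names and the Contact and Expires requirements of the security.txt specification; the sample file and example.com are constructed placeholders.

```python
from datetime import datetime, timezone

# Field names from the security.txt specification (matched case-insensitively).
KNOWN_FIELDS = {"contact", "expires", "encryption", "acknowledgments",
                "preferred-languages", "canonical", "policy", "hiring"}
URI_FIELDS = KNOWN_FIELDS - {"expires", "preferred-languages"}

# Constructed sample: placeholder domain, signature body elided.
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# Constructed sample for this example only.
Contact: mailto:security@example.com
Contact: https://example.com/report
Encryption: https://example.com/pgp-key.txt
Policy: http://example.com/disclosure-policy
Acknowledgements: https://example.com/thanks
Hiring: https://example.com/jobs
Expires: 2021-12-31T23:59:59Z
-----BEGIN PGP SIGNATURE-----
(signature bytes omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""


def candidate_urls(domain):
    """The two predictable locations the article names, .well-known first."""
    return [f"https://{domain}/.well-known/security.txt",
            f"https://{domain}/security.txt"]


def parse_security_txt(text):
    """Return {field: [values]} with lower-cased field names.

    Skips blank lines, '#' comments and an optional OpenPGP cleartext
    signature wrapper (armor headers and the signature block).
    """
    fields = {}
    state = "body"
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            state = "armor-headers"   # "Hash: ..." lines run until a blank line
        elif line == "-----BEGIN PGP SIGNATURE-----":
            state = "signature"
        elif line == "-----END PGP SIGNATURE-----":
            state = "body"
        elif state == "armor-headers":
            if not line:
                state = "body"
        elif state == "body" and line and not line.startswith("#"):
            name, sep, value = line.partition(":")
            if sep and value.strip():
                fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def audit(fields, now=None):
    """Return a list of findings; an empty list means the basics are in place."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if not fields.get("contact"):
        findings.append("no Contact field: reporters have nowhere to send a report")
    for name in sorted(fields.keys() & URI_FIELDS):
        for value in fields[name]:
            lowered = value.lower()
            if lowered.startswith("http://"):
                findings.append(f"{name}: {value} is served over plain http")
            elif not lowered.startswith(("https://", "mailto:", "tel:")):
                findings.append(f"{name}: {value!r} is not a URI "
                                "(a bare e-mail address needs mailto:)")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"Expires: {expires[0]!r} is not an ISO 8601 timestamp")
        else:
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                findings.append(f"file expired on {expires[0]}; contacts may be stale")
    for name in sorted(fields.keys() - KNOWN_FIELDS):
        findings.append(f"unrecognised field {name!r} (typo or extension?)")
    return findings


if __name__ == "__main__":
    print("publish at:", candidate_urls("example.com"))
    for finding in audit(parse_security_txt(SAMPLE)):
        print("FINDING:", finding)
```

On the constructed sample this reports the plain-http policy link, the lapsed Expires date and the misspelled Acknowledgments field, three problems that would each leave a reporter with a dead end.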

Having a security.txt file can make it easier for organizations to respond to active security threats. For example, just this morning a trusted source forwarded me the VPN credentials for a major clothing retailer that were stolen by malware and made available to cybercriminals. Finding no security.txt file at the retailer’s site using gotsecuritytxt.com (which checks a domain for the presence of this contact file), KrebsOnSecurity sent an alert to its “security@” email address for the retailer’s domain.

Many organizations have long unofficially used (if not advertised) the email address security@[companydomain] to accept reports about security incidents or vulnerabilities. Perhaps this particular retailer also did so at one point; however, my message was returned with a note saying the email had been blocked. KrebsOnSecurity also sent a message to the retailer’s chief information officer (CIO) — the only person in a C-level position at the retailer who was in my immediate LinkedIn network. I still have no idea if anyone has read it.

Although security.txt is not yet an official Internet standard as approved by the Internet Engineering Task Force (IETF), its basic principles have so far been adopted by at least eight percent of the Fortune 100 companies. According to a review of the domain names for the latest Fortune 100 firms via gotsecuritytxt.com, those include Alphabet, Amazon, Facebook, HCA Healthcare, Kroger, Procter & Gamble, USAA and Walmart.

There may be another good reason for consolidating security contact and vulnerability reporting information in one, predictable place. Alex Holden, founder of the Milwaukee-based consulting firm Hold Security, said it’s not uncommon for malicious hackers to experience problems getting the attention of the proper people within the very same organization they have just hacked.

“In cases of ransom, the bad guys try to contact the company with their demands,” Holden said. “You have no idea how often their messages get caught in filters, get deleted, blocked or ignored.”

GET READY TO BE DELUGED

So if security.txt is so great, why haven’t more organizations adopted it yet? It seems that setting up a security.txt file tends to invite a rather high volume of spam. Most of these junk emails come from self-appointed penetration testers who — without any invitation to do so — run automated vulnerability discovery tools and then submit the resulting reports in hopes of securing a consulting engagement or a bug bounty fee.

This dynamic was a major topic of discussion in these Hacker News threads on security.txt, wherein a number of readers related their experience of being so flooded with low-quality vulnerability scan reports that it became difficult to spot the reports truly worth pursuing further.

Edwin “EdOverflow” Foudil, the co-author of the proposed notification standard, acknowledged that junk reports are a major downside for organizations that offer up a security.txt file.

“This is actually stated in the specification itself, and it’s incredibly important to highlight that organizations that implement this are going to get flooded,” Foudil told KrebsOnSecurity. “One reason bug bounty programs succeed is that they are basically a glorified spam filter. But regardless of what approach you use, you’re going to get inundated with these crappy, sub-par reports.”

Often these sub-par vulnerability reports come from individuals who have scanned the entire Internet for one or two security vulnerabilities, and then attempted to contact all vulnerable organizations at once in some semi-automated fashion. Happily, Foudil said, many of these nuisance reports can be ignored or grouped by creating filters that look for messages containing keywords commonly found in automated vulnerability scans.

Foudil said despite the spam challenges, he’s heard tremendous feedback from a number of universities that have implemented security.txt.

“It’s been an incredible success with universities, which tend to have lots of older, legacy systems,” he said. “In that context, we’ve seen a ton of valuable reports.”

Foudil says he’s delighted that eight of the Fortune 100 firms have already implemented security.txt, even though it has not yet been approved as an IETF standard. When and if security.txt is approved, he hopes to spend more time promoting its benefits.

“I’m not trying to make money off this thing, which came about after chatting with quite a few people at DEFCON [the annual security conference in Las Vegas] who were struggling to report security issues to vendors,” Foudil said. “The main reason I don’t go out of my way to promote it now is because it’s not yet an official standard.”

Has your organization considered or implemented security.txt? Why or why not? Sound off in the comments below.

Airwallex raises $200M at a $4B valuation to double down on business banking

Business, now more than ever before, is going digital, and today a startup that’s building a vertically integrated solution to meet business banking needs is announcing a big round of funding to tap into the opportunity. Airwallex — which provides business banking services directly to businesses themselves as well as via a set of APIs that power other companies’ fintech products — has raised $200 million, a Series E round of funding that values the Australian startup at $4 billion.

Lone Pine Capital is leading the round, with new backers G Squared and Vetamer Capital Management, and previous backers 1835i Ventures (formerly ANZi), DST Global, Salesforce Ventures and Sequoia Capital China also participating.

The funding brings the total raised by Airwallex — which has head offices in Hong Kong and Melbourne, Australia — to $700 million, including a $100 million injection that closed out its Series D just six months ago.

Airwallex will be using the funding both to continue investing in its product and technology as well as to continue its geographical expansion and to focus on some larger business targets. The company has started to make some headway into Europe and the U.K. and that will be one big focus, along with the U.S.

The quick succession of funding and rising valuation underscore Airwallex’s traction to date around what CEO and co-founder Jack Zhang describes as a vertically integrated strategy.

That involves two parts. First, Airwallex has built all the infrastructure for the business banking services that it provides directly to businesses with a focus on small and medium enterprise customers. Second, it has packaged up that infrastructure into a set of APIs that a variety of other companies use to provide financial services directly to their customers without needing to build those services themselves — the so-called “embedded finance” approach.

“We want to own the whole ecosystem,” Zhang said to me. “We want to be like the Apple of business finance.”

That seems to be working out so far for Airwallex. Revenues were up almost 150% for the first half of 2021 compared to a year before, with the company processing more than US$20 billion for a global client portfolio that has quadrupled in size. In addition to tens of thousands of SMEs, it also, via APIs, powers financial services for other companies like GOAT, Papaya Global and Stake.

Airwallex got its start like many of the strongest startups do: It was built to solve a problem that the founders encountered themselves. In the case of Airwallex, Zhang tells me he had actually been working on a previous startup idea. He wanted to build the “Blue Bottle Coffee” of Asia Pacific out of Australia, and it involved buying and importing a lot of different materials, packaging and, of course, coffee from all around the world.

“We found that making payments as a small business was slow and expensive,” he said, since it involved banks in different countries and different banking systems, manual efforts to transfer money between them and many days to clear the payments. “But that was also my background — payments and trading — and so I decided that it was a much more fascinating problem for me to work on and resolve.”

Eventually one of his co-founders in the coffee effort came along, with the four co-founders of Airwallex ultimately including Zhang, along with Xijing Dai, Lucy Liu and Max Li.

It was 2014, and Airwallex got attention from VCs early on in part for being in the right place at the right time. A wave of startups building financial services for SMBs were definitely gaining ground in North America and Europe, filling a long-neglected hole in the technology universe, but there was almost nothing of the sort in the Asia Pacific region, and in those earlier days solutions were highly regionalized.

From there it was a no-brainer that starting with cross-border payments, the first thing Airwallex tackled, would soon grow into a wider suite of banking services involving payments and other cross-border banking services.

“In the last six years, we’ve built more than 50 bank integrations and now offer payments across 95 countries, payments through a partner network,” he added, with 43 of those offering real-time transactions. From that, it moved on to bank accounts and “other primitive stuff” with card issuance and more, he said, eventually building an end-to-end payment stack. 

Airwallex has tens of thousands of customers using its financial services directly, and they make up about 40% of its revenues today. The rest is the interesting turn the company decided to take to expand its business.

Airwallex had built all of its technology from the ground up itself, and it found that — given the wave of new companies looking for more ways to engage customers and become their one-stop shop — there was an opportunity to package that tech up in a set of APIs and sell that on to a different set of customers, those who also provided services for small businesses. That part of the business now accounts for 60% of Airwallex’s business, Zhang said, and is growing faster in terms of revenues. (The SMB business is growing faster in terms of customers, he said.)

A lot of embedded finance startups that base their business around building tech to power other businesses tend to stay at arm’s length from offering financial services directly to consumers. The explanation I have heard is that they do not wish to compete against their customers. Zhang said that Airwallex takes a different approach, by being selective about the customers they partner with, so that the financial services they offer would never be the kind that would be in direct competition. The GOAT marketplace for sneakers, or Papaya Global’s HR platform are classic examples of this.

However, as Airwallex continues to grow, you can’t help but wonder whether one of those partners might like to gobble up all of Airwallex and take on some of that service provision role itself. In that context, it’s very interesting to see Salesforce Ventures returning to invest even more in the company in this round, given how widely the company has expanded from its early roots in software for salespeople into a massive platform providing a huge range of cloud services to help people run their businesses.

For now, it’s been the combination of its unique roots in Asia Pacific, plus its vertical approach of building its tech from the ground up, plus its retail acumen that has impressed investors and may well see Airwallex stay independent and grow for some time to come.

“Airwallex has a clear competitive advantage in the digital payments market,” said David Craver, MD at Lone Pine Capital, in a statement. “Its unique Asia-Pacific roots, coupled with its innovative infrastructure, products and services, speak volumes about the business’ global growth opportunities and its impressive expansion in the competitive payment providers space. We are excited to invest in Airwallex at this dynamic time, and look forward to helping drive the company’s expansion and success worldwide.”

Updated to note that the coffee business was in Australia, not Hong Kong.

Flippa raises $11M to match online asset and business buyers, sellers

Flippa, an online marketplace to buy and sell online businesses and digital assets, announced its first venture-backed round, an $11 million Series A, as it sees over 600,000 monthly searches from investors looking to connect with business owners.

OneVentures led the round and was joined by existing investors Andrew Walsh (former Hitwise CEO), Flippa co-founders Mark Harbottle and Matt Mickiewicz, 99designs, as well as new investors Catch.com.au founders Gabby and Hezi Leibovich; RetailMeNot.com founders Guy King and Bevan Clarke; and Reactive Media founders Tim O’Neill and Tim Fouhy.

The company, with bases in both Austin and Australia, was started in 2009 and facilitates exits for millions of online business owners, some that operate on e-commerce marketplaces, blogs, SaaS and apps, the newest data integration being for Shopify, Blake Hutchison, CEO of Flippa, told TechCrunch.

He considers Flippa to be “the investment bank for the 99%,” of small businesses, providing an end-to-end platform that includes a proprietary valuation product for businesses — processing over 4,000 valuations each month — and a matching algorithm to connect with qualified buyers.

Business owners can sell their companies directly through the platform and have the option to bring in a business broker or advisor. The company also offers due diligence and acquisition financing from Thrasio-owned Yardline Capital and a new service called Flippa Legal.

“Our strategy is verification at the source, i.e. data,” Hutchison said. “Users can currently connect to Stripe, QuickBooks Online, WooCommerce, Google Analytics and Admob for apps, which means they can expose their online business performance with one-click, and buyers can seamlessly assess financial and operational performance.”

Online retail, as a share of total retail sales, grew to 19.6% in 2020, up from 15.8% in 2019, driven largely by the global pandemic as sales shifted online while brick-and-mortar stores closed.

Meanwhile, Amazon has 6 million sellers, and Shopify sellers run over 1 million businesses. This has led to an emergence of e-commerce aggregators, backed by venture capital dollars, that are scooping up successful businesses to grow, finding many through Flippa’s marketplace, Hutchison said.

Flippa has over 3 million registered users and added 300,000 new registered users in the past 12 months. Overall transaction volume grows 100% year over year. Though the company was bootstrapped for over a decade, its growth and opportunity drove Hutchison to go after venture capital dollars.

“There is a huge movement toward this being recognized as an asset class,” he said. “At the moment, the asset class is undervalued and driving a massive swarm as investors snap up businesses and aggregate them together. We see the future of these aggregators becoming ‘X company for apps’ or ‘X for blogs.’ ”

As such, the new funding will be used to double the company’s headcount to more than 100 people as it builds out its offices globally, as well as establishing outposts in Melbourne, San Francisco and Austin. The company will also invest in marketing and product development to scale its business valuation tool that Hutchison likens to the “Zillow Zestimate,” but for online businesses.

Nigel Dews, operating partner at OneVentures, has been following Flippa since it started. His firm is one of the oldest venture capital firms in Australia and has 30 companies in its portfolio focused on healthcare and technology.

He believes the company will create meaningful change for small businesses. The team combined with Flippa’s ability to connect buyers and sellers puts the company in a strong leadership position to take advantage of the marketplace effect.

“Flippa is an incredible opportunity for us,” he added. “You don’t often get a world-leading business in a brand new category with incredible tailwinds. We also liked that the company is based in Australia, but half of its revenue comes from the U.S.”

Bzaar bags $4M to enable US retailers to source home, lifestyle products from India

Small businesses in the U.S. now have a new way to source home and lifestyle goods from new manufacturers. Bzaar, a business-to-business cross-border marketplace, is connecting retailers with over 50 export-ready manufacturers in India.

The U.S.-based company announced Monday that it raised $4 million in seed funding, led by Canaan Partners, and including angel investors Flipkart co-founder Binny Bansal, PhonePe founders Sameer Nigam and Rahul Chari, Addition founder Lee Fixel and Helion Ventures co-founder Ashish Gupta.

Nishant Verman and Prasanth Nair co-founded Bzaar in 2020 and consider their company to be like a “fair without borders,” as Verman put it. Prior to founding Bzaar, Verman was at Bangalore-based Flipkart until it was acquired by Walmart in 2018. He then was at Canaan Partners in the U.S.

“We think the next 10 years of global trade will be different from the last 100 years,” he added. “That’s why we think this business needs to exist.”

Traditionally, small U.S. buyers did not have feet on the ground in manufacturing hubs, like China, to manage shipments of goods in the same way that large retailers did. Then Alibaba came along in the late 1990s and began acting as a gatekeeper for cross-border purchases, Verman said. U.S. goods imports from China totaled $451.7 billion in 2019, while U.S. goods imports from India in 2019 were $87.4 billion.

Bzaar screenshot. Image Credits: Bzaar

Small buyers could buy home and lifestyle goods, but it was typically through the same sellers, and there was not often a unique selection, nor were goods available handmade or using organic materials, he added.

With Bzaar, small buyers can purchase over 10,000 wholesale goods on its marketplace from other countries like India and Southeast Asia. The company guarantees products arrive within two weeks and manages all of the packaging logistics and buyer protection.

Verman and Nair launched the marketplace in April and had thousands of users in three continents purchasing from the platform within six months. Meanwhile, products on Bzaar are up to 50% cheaper than domestic U.S. platforms, while SKU selection is doubling every month, Verman said.

The new funding will enable the company to invest in marketing to get in front of buyers and invest in its technology to advance its cataloging feature so that goods pass through customs seamlessly. Wanting to provide new features for its small business customers, Verman also intends to create a credit feature to enable buyers to pay in installments or up to 90 days later.

“We feel this is a once-in-a-lifetime shift in how global trade works,” he added. “You need the right team in place to do this because the problem is quite complex to take products from a small town in Vietnam to Nashville. With our infrastructure in place, the good news is there are already shops and buyers, and we are stitching them together to give buyers a seamless experience.”


Fivetran hauls in $565M on $5.6B valuation, acquires competitor HVR for $700M

Fivetran, the data connectivity startup, had a big day today. For starters it announced a $565 million investment on a $5.6 billion valuation, but it didn’t stop there. It also announced its second acquisition this year, snagging HVR, a data integration competitor that had raised more than $50 million, for $700 million in cash and stock.

The company last raised a $100 million Series C on a $1.2 billion valuation, increasing the valuation by over 5x. As with that Series C, Andreessen Horowitz was back leading the round, with participation from other double dippers General Catalyst, CEAS Investments, Matrix Partners and other unnamed firms or individuals. New investors ICONIQ Capital, D1 Capital Partners and YC Continuity also came along for the ride. The company reports it has now raised $730 million.

The HVR acquisition represents a hefty investment for the startup, grabbing a company for a price that is almost equal to all the money it has raised to date, but it provides a way to expand its market quickly by buying a competitor. Earlier this year Fivetran acquired Teleport Data as it continues to add functionality and customers via acquisition.

“The acquisition — a cash and stock deal valued at $700 million — strengthens Fivetran’s market position as one of the data integration leaders for all industries and all customer types,” the company said in a statement.

While that may smack of corporate marketing-speak, there is some truth to it, as pulling data from multiple sources, sometimes in siloed legacy systems, is a huge challenge for companies, and both Fivetran and HVR have developed tools to provide the pipes to connect various data sources and put it to work across a business.

Data is central to a number of modern enterprise practices, including customer experience management, which takes advantage of customer data to deliver customized experiences based on what you know about them, and data is the main fuel for machine learning models, which use it to understand and learn how a process works. Fivetran and HVR provide the nuts and bolts infrastructure to move the data around to where it’s needed, connecting to various applications like Salesforce, Box or Airtable, databases like PostgreSQL or data repositories like Snowflake or Databricks.

Whether bigger is better remains to be seen, but Fivetran is betting that it will be in this case as it makes its way along the startup journey. The transaction has been approved by both companies’ boards. The deal is still subject to standard regulatory approval, but Fivetran is expecting it to close in October.

The Good, the Bad and the Ugly in Cybersecurity – Week 38

The Good

A few new developments occurred this week in the saga that is REvil ransomware. First off, REvil appears to have reactivated its infrastructure and has renewed its attacks, so far on a slightly smaller scale. New victims are appearing on their blog, and affiliates have resurfaced in specific underground forums in an effort to save some face and assure the world that they are kind and gentle cybercriminals.

However, the good news is that this week we also saw the release of a “master decrypter” for previous REvil victims.

The decrypter was the fruit of a joint collaboration between Bitdefender and “trusted law enforcement partners”. While it won’t help victims of the latest wave of REvil attacks, it does provide a simple and effective way for those who were hit prior to REvil’s recent hiatus after the Kaseya and other high profile attacks to recover previously encrypted assets. As a reminder, SentinelOne Singularity will prevent REvil ransomware attacks as well as the associated TTPs.

The Bad

This was a particularly colorful week with regard to Apple and their emergency patch for a set of security vulnerabilities that enabled the deployment and use of NSO Group spyware. At the heart of these matters is an exploit dubbed FORCEDENTRY, which takes advantage of a vulnerability in Apple’s Core Graphics framework.

What makes FORCEDENTRY so worrisome for users is that it does not require any user interaction to exploit, and since CoreGraphics is common to all Apple’s OS platforms, it can be leveraged against Apple’s iOS, iPadOS, watchOS, and macOS devices. Needless to say, the potentially exposed population is quite large and diverse. The flaw was originally reported by the Citizen Lab, who discovered it during an investigation into an iOS device belonging to a Saudi activist. The device had been infected by the NSO Group’s Pegasus spyware.

The bug was assigned CVE-2021-30860, and an emergency patch was released on September 13, 2021. It is believed that this flaw has been actively used against high-profile targets in the activist world as early as June 2020. Specially-crafted PDF documents can be used to deliver the exploit to targets, and it is simply the act of receiving the PDF that leads to the infection. A truly scary zero-click exploit.

Apple has released updates to address this and other issues. However, users of older systems be aware: on the Mac, only Catalina and Big Sur have been patched for this vulnerability, so the almost 20% of Mac users still running macOS Mojave and earlier are out of luck. iPhone users require iOS 14.8 or later to receive the fix, while watchOS needs to be running 7.6.2 or higher.

The Ugly

This week, three agents tied to “Project Raven” admitted to working against the United States government at the direction of the United Arab Emirates.

Under a deal designed to avoid prosecution, the three operatives were required to admit to working as spies for the U.A.E. and ultimately violating U.S. laws, including the selling of military secrets and technology. As part of “Project Raven”, the individuals were responsible for multiple intrusions into networks within the borders of the United States. In addition, they located and stole “sophisticated cyber intrusion tools” without the obviously required permission. These individuals were all considered lone “mercenaries” or “hackers-for-hire”.

While the full outcome is yet to be determined, the deal they struck appears to require the agents to pay a sum of $1.69 million and to relinquish all security clearance privileges in the United States.

On another note, this week SentinelLabs disclosed details around CVE-2021-3437, an HP OMEN Gaming Hub Escalation of Privilege and Denial of Service vulnerability in HP OMEN PCs. This high-severity flaw affects millions of HP devices and can be exploited to achieve kernel-level privileges, potentially offering full control of the targeted host. While gaming PCs aren’t usually found on the enterprise network, a vulnerable device in the home could be just as harmful to work when so many of us are connecting our company devices to our home networks these days.



Ketch raises another $20M as demand grows for its privacy data control platform

Six months after securing a $23 million Series A round, Ketch, a startup providing online privacy regulation and data compliance, brought in an additional $20 million in A1 funding, this time led by Acrew Capital.

Returning with Acrew for the second round are CRV, super{set} (the startup studio founded by Ketch’s co-founders CEO Tom Chavez and CTO Vivek Vaidya), Ridge Ventures and Silicon Valley Bank. The new investment gives Ketch a total of $43 million raised since the company came out of stealth earlier this year.

In 2020, Ketch introduced its data control platform for programmatic privacy, governance and security. The platform automates data control and consent management so that consumers’ privacy preferences are honored and implemented.

Enterprises are looking for a way to meet consumer needs and accommodate their rights and consents. At the same time, companies want data to fuel their growth and gain the trust of consumers, Chavez told TechCrunch.

There is also a matter of security, with much effort going into ransomware and malware, but Chavez feels a big opportunity is to bring security to the data wherever it lies. Once the infrastructure is in place for data control it needs to be at the level of individual cells and rows, he said.

“If someone wants to be deleted, there is a challenge in finding your specific row of data,” he added. “That is an exercise in data control.”

Ketch’s customer base grew by more than 300% since its March Series A announcement, and the new funding will go toward expanding its sales and go-to-market teams, Chavez said.

Ketch app. Image Credits: Ketch

This year, the company launched Ketch OTC, a free-to-use privacy tool that streamlines all aspects of privacy so that enterprise compliance programs build trust and reduce friction. Customer growth through OTC increased five times in six months. More recently, Qonsent, which is developing a consent user experience, is using Ketch’s APIs and infrastructure, Chavez said.

When looking for strategic partners, Chavez and Vaidya wanted to have people around the table who have a deep context on what they were doing and could provide advice as they built out their products. They found that in Acrew founding partner Theresia Gouw, whom Chavez referred to as “the OG of privacy and security.”

Gouw has been investing in security and privacy for over 20 years and says Ketch is flipping the data privacy and security model on its head by putting it in the hands of developers. When she saw more people working from home and more data breaches, she saw an opportunity to increase and double down on Acrew’s initial investment.

She explained that Ketch is differentiating itself from competitors by taking data privacy and security and tying it to the data itself to empower software developers. With the OTC tool, similar to putting locks and cameras on a home, developers can download the API and attach rules to all of a user’s data.

“The magic of Ketch is that you can take the security and governance rules and embed them with the software and the piece of data,” Gouw added.

Defy Partners leads $3M round into sales intelligence platform Aircover

Aircover raised $3 million in seed funding to continue developing its real-time sales intelligence platform.

Defy Partners led the round with participation from Firebolt Ventures, Flex Capital, Ridge Ventures and a group of angel investors.

The company, headquartered in the Bay Area, aims to give sales teams insights relevant to closing the sale as they are meeting with customers. Aircover’s conversational AI software integrates with Zoom and automates parts of the sales process to lead to more effective conversations.

“One of the goals of launching the Zoom SDK was to provide developers with the tools they need to create valuable and engaging experiences for our mutual customers and integrations ecosystem,” said Zoom’s CTO Brendan Ittelson via email. “Aircover’s focus on building sales intelligence directly into the meeting, to guide customer-facing teams through the entire sales cycle, is the type of innovation we had envisioned when we set out to create a broader platform.”

Aircover’s founding team of Andrew Levy, Alex Young and Andrew’s brother David Levy worked together at Apteligent, a company co-founded and led by Andrew Levy, that was sold to VMware in 2017.

Chatting about pain points on the sales process over the years, Levy said it felt like the solution was always training the sales team more. However, by the time everyone was trained, that information would largely be out-of-date.

Instead, they created Aircover to be a software tool on top of video conferencing that performs real-time transcription of the conversation and then analysis to put the right content in front of the sales person at the right time based on customer issues and questions. This means that another sales expert doesn’t need to be pulled in or an additional call scheduled to provide answers to questions.

“We are anticipating that knowledge and parsing it out at key moments to provide more leverage to subject matter experts,” Andrew Levy told TechCrunch. “It’s like a sales assistant coming in to handle any issue.”

He considers Aircover in a similar realm with other sales team solutions, like Chorus.ai, which was recently scooped up by ZoomInfo, and Gong, but sees his company carving out space in real-time meeting experiences. Other tools also record the meetings, but to be reviewed after the call is completed.

“That can’t change the outcome of the sale, which is what we are trying to do,” Levy added.

The new funding will be used for product development. Levy intends to double his small engineering team by the end of the month.

He calls what Aircover is doing a “large interesting problem we are solving that requires some difficult technology because it is real time,” which is why the company was eager to partner with Bob Rosin, partner at Defy Partners, who joins Aircover’s board of directors as part of the investment.

Rosin joined Defy in 2020 after working on the leadership teams of Stripe, LinkedIn and Skype. He said sales and customer teams need tools in the moment, and while some are useful in retrospect, people want them to be live, in front of the customer.

“In the early days, tools helped before and after, but in the moment when they need the most help, we are not seeing many doing it,” Rosin added. “Aircover has come up with the complete solution.”

 

Zoom looks beyond video conferencing as triple-digit 2020 growth begins to slow

It’s been a heady 12-18 months for Zoom, the decade-old company that experienced monster 2020 growth and more recently, a mega acquisition with the $14.7 billion Five9 deal in July. That addition is part of a broader strategy the company has been undertaking the last couple of years to move beyond its core video conferencing market into adjacencies like phone, meeting management and messaging, among other things. Here’s a closer look at how the plan is unfolding.

As the pandemic took hold in March 2020, everyone from businesses to schools to doctors and places of worship moved online. As they did, Zoom video conferencing became central to this cultural shift and the revenue began pouring in, ushering in a period of sustained triple-digit growth for the company that only recently abated.

Trial Ends in Guilty Verdict for DDoS-for-Hire Boss

A jury in California today reached a guilty verdict in the trial of Matthew Gatrel, a St. Charles, Ill. man charged in 2018 with operating two online services that allowed paying customers to launch powerful distributed denial-of-service (DDoS) attacks against Internet users and websites. Gatrel’s conviction comes roughly two weeks after his co-conspirator pleaded guilty to criminal charges related to running the services.

The user interface for Downthem[.]org.

Prosecutors for the Central District of California charged Gatrel, 32, and his business partner Juan “Severon” Martinez of Pasadena, Calif. with operating two DDoS-for-hire or “booter” services — downthem[.]org and ampnode[.]com.

Despite admitting to FBI agents that he ran these booter services (and turning over plenty of incriminating evidence in the process), Gatrel opted to take his case to trial, defended the entire time by public defenders. Facing the prospect of a hefty sentence if found guilty at trial, Martinez pleaded guilty on Aug. 26 to one count of unauthorized impairment of a protected computer.

Gatrel was convicted on all three charges of violating the Computer Fraud and Abuse Act, including conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer.

Investigators say Downthem helped some 2,000 customers launch debilitating digital assaults at more than 200,000 targets, including many government, banking, university and gaming Web sites.

Prosecutors alleged that in addition to running and marketing Downthem, the defendants sold huge, continuously updated lists of Internet addresses tied to devices that could be used by other booter services to make attacks far more powerful and effective. In addition, other booter services also drew firepower and other resources from Ampnode.

Booter and stresser services let customers pick from among a variety of attack methods, but almost universally the most powerful of these methods involves what’s known as a “reflective amplification attack.” In such assaults, the perpetrators leverage unmanaged Domain Name Servers (DNS) or other devices on the Web to create huge traffic floods.

Ideally, DNS servers only provide services to machines within a trusted domain — such as translating an Internet address from a series of numbers into a domain name, like example.com. But DNS reflection attacks rely on consumer and business routers and other devices equipped with DNS servers that are (mis)configured to accept queries from anywhere on the Web.

Attackers can send spoofed DNS queries to these DNS servers, forging the request so that it appears to come from the target’s network. That way, when the DNS servers respond, they reply to the spoofed (target) address.

The bad guys also can amplify a reflective attack by crafting DNS queries so that the responses are much bigger than the requests. For example, an attacker could compose a DNS request of less than 100 bytes, prompting a response that is 60-70 times as large. This “amplification” effect is especially pronounced if the perpetrators query dozens of DNS servers with these spoofed requests simultaneously.
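Seen from the operator of a DNS server, the reflection and amplification pattern described above leaves a recognizable trace: one "client" address receiving many responses that are far larger than the queries sent in its name. The following is an added example, not part of the original article; the record format, thresholds and addresses (documentation ranges) are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of per-query records from a DNS server's flow log:
# (claimed source IP, query type, request bytes, response bytes)
SAMPLE_RECORDS = (
    [("192.0.2.10", "A", 62, 80)] * 8          # ordinary client, small answers
    + [("192.0.2.44", "TXT", 70, 1400)]        # one legitimately large answer
    + [("198.51.100.7", "ANY", 64, 4096)] * 6  # repeated 64x responses to one address
)


def find_reflection_victims(records, min_queries=5, min_ratio=10.0):
    """Flag source IPs whose aggregate traffic looks like spoofed amplification.

    A source is flagged only if it has both a sustained query count and a high
    response/request byte ratio, so a single large answer is not enough.
    The thresholds are illustrative assumptions, not recommended values.
    """
    totals = defaultdict(lambda: {"queries": 0, "req": 0, "resp": 0})
    for src, _qtype, req_bytes, resp_bytes in records:
        entry = totals[src]
        entry["queries"] += 1
        entry["req"] += req_bytes
        entry["resp"] += resp_bytes

    flagged = {}
    for src, entry in totals.items():
        if entry["req"] == 0:  # malformed record; avoid division by zero
            continue
        ratio = entry["resp"] / entry["req"]
        if entry["queries"] >= min_queries and ratio >= min_ratio:
            flagged[src] = {
                "queries": entry["queries"],
                "ratio": round(ratio, 1),
                "resp_bytes": entry["resp"],
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_reflection_victims(SAMPLE_RECORDS).items():
        print(f"{ip}: {stats['queries']} queries, "
              f"{stats['ratio']}x amplification, {stats['resp_bytes']} bytes sent")
```

An address flagged this way is most likely the target of the flood rather than a real client; the usual fix on the server side is to restrict recursion to trusted networks and enable response rate limiting.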

The government charged that Gatrel and Martinez constantly scanned the Internet for these misconfigured devices, and then sold lists of Internet addresses tied to these devices to other booter service operators.

Gatrel’s sentencing is scheduled for January 27, 2022. He faces a statutory maximum sentence of 35 years in federal prison. However, given the outcome of past prosecutions against other booter service operators, it seems unlikely that Gatrel will spend much time in jail.

The case against Gatrel and Martinez was brought as part of a widespread crackdown on booter services in Dec. 2018, when the FBI joined with law enforcement partners overseas to seize 15 different booter service domains.

Federal prosecutors and DDoS experts interviewed at the time said the operation had three main goals: To educate people that hiring DDoS attacks is illegal, to destabilize the flourishing booter industry, and to ultimately reduce demand for booter services.

The jury is still out on whether any of those goals have been achieved with lasting effect.

The original complaint against Gatrel and Martinez is here (PDF).